I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

Aside from uncrackable passwords, there may be few legal barriers stopping police from cracking a suspect’s phone, says Hanni Fakhoury, an attorney with the Electronic Frontier Foundation. A suspect may in some cases refuse to give police the password to a device, invoking the Fifth Amendment's protection against self-incrimination. But when police have a search warrant, it often gives them the right to access the device without the suspect’s cooperation, even if that means cracking security measures. In California and other states, police can legally search phones even without a warrant, though courts around the country are still producing conflicting rulings on the issue.

“If police have a warrant to be in the phone, this is just a way to get access to what they’re legally allowed to,” Fakhoury says of the XRY tool. “But if they’re going to a protest and seizing folks for booking, and immediately running this on their phones and sucking everything out, we’ve got a real problem.”

Micro Systemation’s Dickinson says that it strictly adheres to export control laws that limit which governments it can sell to. But beyond those export restrictions, the company leaves it up to its customers to adhere to local laws. “Once it’s approved for supply, it’s down to the laws of that country,” says Dickinson. “Hopefully its use is in proportion to what’s required.”


All they are doing is jailbreaking the phone and running a brute force password crack on it.

Once an iPhone is jailbroken anything on it is fair game; the act of jailbreaking is the bit that circumvents the security controls, as it then allows execution of arbitrary code, including in this case extracting the hash for the passcode and brute forcing it.

Jailbreaking an iPhone is consumer grade stuff, you don’t need to be any sort of expert to do it, just download the latest tool from the iPhone Dev Team.

The only reason the attack actually works is that most people don’t change the default length of the passcode on their phones. As the company spokesman himself pointed out, using longer pin codes makes this approach invalid as the time taken to crack an 8 alphanumeric code is exponentially longer than that for a 4 digit code. Think years rather than minutes.

The pin code works the same as the iPhone version, digits hashed and stored in the phone.

The Gesture codes work by generating a string of coordinates based on the finger movement that is then hashed with the same encryption key as the pin code. By its very nature this generates much longer hashed codes which are harder to brute force.

However currently there is no way (that I am aware of, I could be wrong) to root an Android phone without first having access to it to enable the USB debugging feature that allows files to be uploaded to the phone in order to root it. This is why the FBI are getting court orders to force Google to hand over Google ID details of a suspect to get access to his phone.

Events are playing out like when the cops could not handle pagers…and busted locksmiths. Maybe someone will allow the regular users of the Internet, to employ at least a party line type communications network so we can still communicate. One minus the uS government and commercial banks. Patents and copyright laws sure have not applied to the users of the devices they purchased. I personally am amazed, I can still eat some foods from the uS and not worry what eventually may happen. Everyone smile…and have an enjoyable day. I am still going to support bit coins and other forms of alternative currency in the uS…and that’s final.